Viewing your PIV credential certificates

Almost all the methods for using your PIV credential for networks, applications, digital signatures and encryption is using the certificates and key pairs stored on your PIV credential. There are scenarios where the additional information such as biometrics are accessed and used. We will cover how to view the information for these additional scenarios and for developers in a set of Developer Guides.

View

You may see many certificates. To open and view the certificate details, double-click on any certificate.

Exporting PIV Certificates

We won’t always be using graphical user interfaces to view the PIV credential certificates. Throughout the guides, we’ll be adding examples of code, tools and common command line options for viewing and troubleshooting configurations. The examples may use files representing the public certificate(s).

Export

Look for an Export button and save the file as DER or PEM encoded, with a file extension of cer (.cer).

Keys are safe!

Don't worry - the public certificates are public. The private keys are always stored safely on your PIV credential and can never be exported.

Understanding PIV Certificates

Viewing the certificate information on your PIV credential may be interesting if you are a general user. Understanding the certificate information is a must if you are a program manager or engineer developing applications and designing solutions for using PIV credentials.

Within the US Federal Government, the certificate information and the PIV credential information is governed by Standards, Policies, and implementation specific choices (options) across all agency credential providers.

There are four pairs of certificates and key pairs on a PIV credential. One pair is ALWAYS on every PIV credential and three pairs are SOMETIMES on a PIV credential. You can review the basics of a PIV Credential to view the four pairs and purposes.

The table below outlines the general information for the PIV credential certificates, certificate extensions, and design considerations. All information is presented in human-readable formats.

Six Years

PIV credentials and certificates have changed over time due to updates in standards. Since users may have credentials for up to six years and there are both optional and mandatory elements, the information presented is what is valid for ALL PIV credentials and certificates currently in use.

Principal Name values are not required by Policy to be present in all Subject Alternative Name extensions. The Card UUID value is only required to be present for new or replacement PIV credentials issued after August 2014. The Card UUID may also commonly be referred to as the Global Unique Identifier (GUID).

Card Authentication

Sometimes

Digital Signature

id-PIV-cardAuth

Name = FASC-N; uniformResourceIdentifier = UUID

Card Authentication is required to be included in new and replacement PIV credentials issued after August 2014; it is not expected that all PIV credentials will have Card Authentication certificates until September 2019. The Card UUID value is only required to be present for new or replacement PIV credentials issued after August 2014. The Card UUID may also commonly be referred to as the Global Unique Identifier (GUID).

Digital Signature

Sometimes

Digital Signature, Non-Repudiation

none required

rfc822name = email address

Email address is not required by Policy. Email address may be multi-valued attributes and include email aliases.

Encryption

Sometimes

Key Encipherment

none required

rfc822name = email address

Email address is not required by Policy. Multiple encryption certificates may be available representing the historical encryption key pairs available.

Additional useful information:

All key pairs for users are 2048 bit (RSA) keys

All certificates issued and certified as PIV are SHA-2 signed

If you are working with Common Access Cards, you may still encounter SHA-1 signed

There has been testing in some infrastructures to migrate to Elliptic Curve Cryptography (ECC), but there are no ECC certificates for users in production as of the date of this guide

There has been testing in some infrastructures for migration to 3072 bit (RSA) certificates, but there are no 3072 bit certificates for users in production as of the date of this guide

In-depth details on the certificate profiles are contained in the current and historical Federal Public Key Infrastructure (FPKI) Policy documents. This table contains links to the most recent documents: